RealTime IT News

Microsoft Caves to Users on Windows 7 Security

Windows 7's vaunted security is flawed. The good news is that, despite initial responses denying it, Microsoft announced today that it plans to deliver a comprehensive fix soon.

After a week of denying that the default setting for Windows 7's User Account Control (UAC) is too easy to compromise and could lead to malware disabling the very mechanism that's meant to keep users safe from attacks, Microsoft (NASDAQ: MSFT) Thursday caved in to users' demands.

If not fixed, many observers had said in their harangues, the issue could turn out to be Windows 7's Achilles' heel. In fact, Microsoft claimed as recently as early in the day on Thursday that Windows 7's UAC default settings are not flawed at all, but rather constitute a feature created "by design."

Further, a Microsoft executive argued, an attack program would already have to be installed on the user's PC in order to exploit the two holes in UAC found by third-party developers. For that to happen, Microsoft asserted, the user would first need to click to allow a malware download to the PC.

A few hours later, things changed. "We are going to deliver two changes to the [Windows 7] Release Candidate that we'll all see. First, the UAC control panel will run in a high integrity process, which requires elevation …. Second, changing the level of the UAC will also prompt for confirmation," said a joint posting on the Engineering Windows 7 blog Thursday afternoon.

The post was co-signed by Steven Sinofsky, senior vice president of Windows and Windows Live Engineering, and Jon DeVaan, senior vice president of the Windows Core Operating System Division.

Windows 7 is currently in beta test and is in the hands of literally millions of users. The system has largely gotten rave reviews; one group of hardcore fans has even started an online petition demanding that the beta be terminated now and the software released immediately.

Microsoft continues to maintain that Windows 7 will ship in the first quarter of 2010. In actuality, however, Windows 7 is expected to reach the release candidate stage of testing – the last testing step before commercial release – by the end of April. That's when the changes to UAC will be added.

Observers still differ on their bets as to when Windows 7 will actually be released – with estimates running from early June to late summer – but it will most certainly be available for the Christmas sales season, barring any showstopper bugs turning up between now and then.

A familiar headache

UAC is not new. It debuted with Windows Vista as a way to double check that changes to the operating system – such as installing new programs – are made only with the user's explicit authorization, including a password that must be keyed in before such an installation proceeds.

While Vista's UAC got high marks for security, it was too disruptive for many users. In fact, many users became so frustrated with the constant dialog boxes and prompts popping up, asking for a password before continuing, that they simply disabled UAC altogether, thus defeating UAC's purpose.
